HSTS Not Set


Description

The application does not set an HTTP Strict Transport Security (HSTS) policy. HSTS is a standard defined in RFC 6797 and delivered through the `Strict-Transport-Security` response header; it lets a website require the browser to use a secure channel for all subsequent communication with that host. Even when an application serves its content over HTTPS, the absence of the HSTS header means that sensitive data could still be sent over an insecure channel and captured by attackers.
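The following checker is an added example and not part of the original finding or of any tool it references. It evaluates the `Strict-Transport-Security` header from a set of response headers following the directive syntax of RFC 6797 (case-insensitive directive names, an optional quoted value, a required `max-age`, duplicate directives invalidating the header, and the header being ignored when it arrives over plain HTTP). The one-year `max-age` threshold and the sample header sets are this example's own assumptions, constructed for illustration.

```python
"""Evaluate an HSTS policy (RFC 6797) from HTTP response headers.

Added example for the "HSTS Not Set" finding; thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed minimum for an effective policy (one year in seconds); not an RFC value.
RECOMMENDED_MIN_MAX_AGE = 31_536_000

# directive-name [ "=" ( quoted-string / token ) ], with surrounding whitespace
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^\s";]*)))?\s*$')


@dataclass
class HstsCheck:
    present: bool = False          # header seen at all
    effective: bool = False        # a conforming browser would enforce it
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> tuple[dict[str, str | None], list[str]]:
    """Split a header value into directives; RFC 6797 forbids duplicate names."""
    directives: dict[str, str | None] = {}
    errors: list[str] = []
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            # Conservative: treat a malformed directive as invalidating the header.
            errors.append(f"malformed directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if name in directives:
            errors.append(f"duplicate directive: {name}")
            continue
        directives[name] = val
    return directives, errors


def check_hsts(headers: list[tuple[str, str]], over_https: bool) -> HstsCheck:
    """Report how a browser would treat the HSTS header in these response headers."""
    result = HstsCheck()
    sts_values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts_values:
        result.findings.append("HSTS not set: Strict-Transport-Security header missing")
        return result
    result.present = True
    if len(sts_values) > 1:
        result.findings.append("multiple STS headers; browsers process only the first")
    directives, errors = parse_hsts(sts_values[0])
    result.findings.extend(errors)
    if not over_https:
        result.findings.append("header sent over plain HTTP is ignored by browsers")

    max_age_raw = directives.get("max-age")
    if max_age_raw is None or not max_age_raw.isdigit():
        result.findings.append("max-age directive missing or not a non-negative integer")
    else:
        result.max_age = int(max_age_raw)
        if result.max_age == 0:
            result.findings.append("max-age=0 clears the policy instead of enforcing it")
        elif result.max_age < RECOMMENDED_MIN_MAX_AGE:
            result.findings.append(
                f"max-age {result.max_age} below recommended {RECOMMENDED_MIN_MAX_AGE}"
            )
    result.include_subdomains = "includesubdomains" in directives
    result.preload = "preload" in directives
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent: subdomains are not covered")
    result.effective = (
        over_https and not errors and result.max_age is not None and result.max_age > 0
    )
    return result


# Constructed sample header sets (not captured from any real site).
SAMPLE_MISSING = [("Content-Type", "text/html")]
SAMPLE_WEAK = [("Strict-Transport-Security", "max-age=300")]
SAMPLE_GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]
SAMPLE_DUP = [("Strict-Transport-Security", "max-age=31536000; max-age=0")]

if __name__ == "__main__":
    for label, sample in [("missing", SAMPLE_MISSING), ("weak", SAMPLE_WEAK),
                          ("good", SAMPLE_GOOD), ("duplicate", SAMPLE_DUP)]:
        print(label, check_hsts(sample, over_https=True))
```

In a real assessment, `headers` would come from the HTTPS response of the target and `over_https` from the scheme of the request that produced it; the `findings` list is what goes into the report, while `effective` answers the narrower question of whether the browser would enforce anything at all.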

Custom Description

Impact

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
